Skip to main content

Breaking down
RTC security

A blog about vulnerabilities and attacks affecting VoIP and WebRTC applications and infrastructure by Enable Security.

Read our newsletter
a phone receiver being crushed by a hand

Posts

 All posts »
Sandro Gauci

Sandro Gauci, Enable Security

We’re hiring a pentester / security researcher

Published on May 4, 2022

Do you know anyone who would like to join the team at Enable Security as a pentester / security researcher? We have a remote open position for the right person. We are mainly looking for someone full-time but persons interested in joining us part-time should also apply. More details can be found at the actual hiring page.…

Read more »
#

root@localhost

One presentation at ClueCon and five security advisories for FreeSWITCH

Published on Oct 25, 2021 in , , , ,

The FreeSWITCH team has just published version v1.10.7 which fixes a number of security issues that we reported. If you use FreeSWITCH, please do upgrade to get these security updates. To learn about the background work that went into getting these security bugs squashed, follow Sandro’s talk called Killing bugs … one vulnerability report at a time. This will be presented at at ClueCon on Thursday, October 28th. Here are the titles of each advisory and a very short summary:…

Read more »

Longer reads

 All articles »
Sandro Gauci

Sandro Gauci, Enable Security

Exploiting CVE-2022-0778, a bug in OpenSSL vis-à-vis WebRTC platforms

Last updated on Apr 8, 2022 in , , , , , ,

Executive summary (TL;DR) Exploiting CVE-2022-0778 in a WebRTC context requires that you get a few things right first. But once that is sorted, DoS (in RTC) is the new RCE! How I got social engineered into looking at CVE-2022-0778 A few days ago, Philipp Hancke, self-proclaimed purveyor of the dark side of WebRTC, messaged me privately with a very simple question: “are you offering a DTLS scanner by chance?” He explained how in the context of WebRTC it would be a bit difficult since you need to get signaling right, ICE (that dance with STUN and other funny things) and finally, you get to do your DTLS scans.…

Read more »
Sandro Gauci

Sandro Gauci, Enable Security

Killing bugs … one vulnerability report at a time

Last updated on Oct 29, 2021 in , , , ,

Executive summary (TL;DR) We tell the story behind the latest FreeSWITCH advisories and how it all came together one sleepless night in April 2021 so that we ended up with 4 vulnerabilities that needed reporting. And then, one more vulnerability found due to a bug in our own software, SIPVicious PRO. We explain how these flaws were discovered, reported, fixed and what we ultimately learned through this process. What is this about?…

Read more »

Abusing SIP for Cross-Site Scripting? Most definitely!

Last updated on Jun 10, 2021 in , ,

Executive summary (TL;DR) SIP can be used as an attack vector for AppSec vulnerabilities such as cross-site scripting (XSS), potentially leading to unauthenticated remote compromise of critical systems. VoIPmonitor GUI had one such vulnerability which highlights this attack vector exceptionally well. The following writeup explores how persistent backdoor administrative access can be obtained by sending malicious SIP messages. This vulnerability was reported by Enable Security and fixed in VoIPmonitor GUI back in February 2021, using standard cross-site scripting protection mechanisms.…

Read more »
Alfred Farrugia

Alfred Farrugia, Enable Security

Bug discovery diaries: Abusing VoIPmonitor for Remote Code Execution

Last updated on Mar 16, 2021 in , , , , , ,

Executive summary (TL;DR) We fuzzed VoIPmonitor by using SIPVicious PRO and got a crash in the software’s live sniffer feature when it is switched on. We identified the cause of the crash by looking at the source code, which was a classic buffer overflow. Then we realized that was fully exploitable since the binaries distributed do not have any memory corruption protection. So we wrote exploit code using ROP gadgets to get remote code execution by just sending a SIP packet.…

Read more »

Featured articles

 All articles »

Abusing SIP for Cross-Site Scripting? Most definitely!

Last updated on Jun 10, 2021 in , ,

Executive summary (TL;DR) SIP can be used as an attack vector for AppSec vulnerabilities such as cross-site scripting (XSS), potentially leading to unauthenticated remote compromise of critical systems. VoIPmonitor GUI had one such vulnerability which highlights this attack vector exceptionally well. The following writeup explores how persistent backdoor administrative access can be obtained by sending malicious SIP messages. This vulnerability was reported by Enable Security and fixed in VoIPmonitor GUI back in February 2021, using standard cross-site scripting protection mechanisms.…

Read more »

Attacking a real VoIP System with SIPVicious OSS

Last updated on Jun 8, 2020 in , ,

Recently, we put out a target server on the Internet at demo.sipvicious.pro which hosts a Kamailio Server handling SIP over UDP, TCP, TLS as well as WebSockets. Behind that, the observant reader will soon discover that an Asterisk server handles the voicemail and echo services. This is actually a fully functioning (real) VoIP system that’s ready to be attacked. Therefore, in combination, these software packages allow us to reproduce a number of common security vulnerabilities affecting VoIP and WebRTC systems.…

Read more »
Sandro Gauci

Sandro Gauci, Enable Security

Jitsi Meet on Docker default passwords - how bad is it, how to detect and fix it

Last updated on Apr 20, 2020 in , , , ,

Executive summary (TL;DR) Jitsi Meet on Docker contained default passwords for important users, which could be abused to run administrative XMPP commands, including shutting down the server, changing the administrative password and loading Prosody modules. We also provide instructions on how to check for this issue if you administer a Jitsi Meet server. Background story A few days ago we noticed a tweet by @joernchen mentioning something that sounded familiar, Jitsi.…

Read more »
Sandro Gauci

Sandro Gauci, Enable Security

How we abused Slack’s TURN servers to gain access to internal services

Last updated on Apr 6, 2020 in , , ,

Executive summary (TL;DR) Slack’s TURN server allowed relaying of TCP connections and UDP packets to internal Slack network and meta-data services on AWS. And we were awarded $3,500 for our bug-bounty report on HackerOne. A very brief introduction to the TURN protocol The Wikipedia page for this protocol is somewhat handy because it explains that: Traversal Using Relays around NAT (TURN) is a protocol that assists in traversal of network address translators (NAT) or firewalls for multimedia applications.…

Read more »

Subscribe

Receive high-quality, low-volume RTC security research, news and occasional updates about what we're up to.

Interested in working with us? Get in touch

We hate spam and hard-selling and are committed to protecting and respecting your privacy. You can unsubscribe from these communications at any time. By subscribing, you are agreeing to the Terms and Conditions. this site uses reCAPTCHA, the Google Privacy Policy and Terms of Service apply.